Help fortify Expander in our $500,000 Bug Bounty
We’ve launched a $500,000 bug bounty program to identify vulnerabilities in Expander, our groundbreaking zero-knowledge proof (ZKP) system.
Expander represents a significant leap forward in ZKP technology, delivering unmatched proof generation speeds and efficiency. By combining the GKR protocol with advanced polynomial commitment schemes, Expander achieves linear prover time and minimizes computational overhead, making it a powerful solution for complex applications like zkBridge and zkML.
Commitment to Security
Security and reliability are our top priorities. To date, Expander has undergone extensive testing and reviews to validate its performance. As we prepare for broader deployment, this $500,000 Bug Bounty program reinforces our commitment to safeguarding Expander’s integrity.
Bug Bounty Scope
The program focuses exclusively on vulnerabilities within the Expander proof system, including its core components and associated libraries.
The following are excluded from the program’s scope:
- Third-party contracts or code not developed by Polyhedra.
- Known issues documented in audits.
- Bugs in external applications using Expander.
- Vulnerabilities flagged in previous assessments.
How to Submit a Report
Submit your report via the Google Form within 24 hours of discovery. To ensure eligibility for rewards, reports must:
- Include detailed reproduction steps and potential impact.
- Remain confidential until resolved.
- Comply with the program’s full rules and disclosure requirements.
- Describe the bug and be submitted through the Google Form.
Submissions leading to vulnerability findings, unique fixes and code changes may receive public acknowledgment, with your permission.
Reward Amount
The following table outlines typical rewards for the most common classes of bugs, depending on the affected project tier.
Bug Hunting Rules
The bug bounty program is an experimental and discretionary rewards program for our active community to encourage and reward those who are helping to improve the platform. We can cancel the program at any time, and awards are at the discretion of the Polyhedra Network team.
- Issues that lack a description, have already been submitted by another user, or are already known to team members are not eligible for bounty rewards.
- Public disclosure of a vulnerability or reporting it to other parties without prior agreement makes it ineligible for a bounty.
- Team members of Polyhedra Network are not eligible for the reward.
- We consider a number of variables in determining reward tiers and eligibility. All terms related to an award are at the discretion of the Polyhedra Network team.
The $500,000 Bug Bounty is live
Dive into the Expander codebase today and submit vulnerabilities through the Google Form.
Stay connected with the latest developments by following us on Twitter: @PolyhedraZK.